Regardless of size, businesses today must contend with growing cybercrime perpetrated by hackers looking to steal user credentials, access sensitive data, or extort money. With the global cost of cybercrime projected to reach over $6 trillion by the end of 2021, it’s critical for businesses to get a grasp on major security threats and implement strong mitigation measures.
Here are the top 3 cybersecurity threats businesses face today:
Credential Theft & Business Account Takeover
Typically, phishing attacks occur via fraudulent communications disguised to appear as coming from trusted entities to trick individuals into downloading malware or exposing their credentials.
According to Verizon’s 2021 Data Breach Investigation Report (DBIR), phishing was present in 36% of breaches. It was also the most common type of social engineering, a form of cyberattack that uses deception, manipulation, or psychological play to gain unauthorized access to data.
A key phishing-related threat to organizations is business email compromise, a type of attack where hackers send out emails impersonating a company’s CEO, vendors or other known sources to steal information or extract money. Cybercriminals will often leverage a trend or crisis situation to execute a data breach. For instance, KnowBe4 found that in Q1 2020, as people looked for information about the coronavirus, there was a 600% increase in COVID-related phishing email attacks.
As businesses see an increase in remote work and the use of electronic communication due to the pandemic, phishing remains a major threat to data security.
Malware is a broad term that includes any malicious software designed to damage computer systems and breach data. Ransomware is a common malware that encrypts stolen data to block access till a ransom is paid. The Verizon 2021 DBIR found that ransomware was used in 10% of breaches, more than doubling its frequency from the previous year.
Today, malware attacks have become increasingly sophisticated. Take, for instance, the recent malware campaign that targeted US technology company SolarWinds. Cybercriminals were able to orchestrate a carefully organized supply chain attack that compromised around 18,000 networks, including those of a few federal agencies.
Attacks that involve ransomware can wind up being costly affairs for businesses. One 2020 study found that “the average cost to rectify the impacts of the most recent ransomware attack (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc.) is US$732,520 for organizations that don’t pay the ransom, rising to U$1,448,458 for organizations that do pay.”
It’s important to note that big companies in highly regulated industries, such as financial institutions, are not the only ones vulnerable to malware attacks. In fact, in 2020, roughly 67% of malware victims were small to mid-sized businesses with 1000 employees or less. This means that businesses of all sizes should be wary of such cyber threats.
Credential Theft & Business Account Takeover
Another growing cybersecurity threat is credential theft, a problem further exacerbated by a growing adoption of digital services and internet-based transactions. The Verizon 2021 DBIR found that credentials are one of the most sought-after data types.
Risk factors that fuel this type of cyberattack include password reuse or weak credentials. Password reuse, in particular, is a security issue because it allows hackers to breach multiple accounts within an organization. Attackers can use stolen credentials and passwords to facilitate a business account takeover, gaining control over a company’s bank accounts to initiate fraudulent transactions.
Tips to Mitigate Cybersecurity Threats:
Perform Risk Assessment
Assess your security operations as well as administrative, physical, and technical controls to determine your organization’s security posture
Hold Security Awareness Training:
An effective way to deliver such training to employees is by holding shorter, concise monthly sessions on relevant security topics.
Provide a quick way to report threats:
Make it convenient and easy for employees to report suspected phishing attempts. For example, tools such as ‘phish alert’ buttons allow users to immediately report potential email threats.
Real-time risk identification:
Use risk-based protections and external banners to defend against attacks such as business email compromise. These tools can alert employees that a particular email has been sent from an external domain and offer a risk assessment.
Use a password manager and multi-factor authentication:
Password managers allow users to securely store credentials, generate unique passwords, and more to help combat data theft. It’s also critical to implement a multi-factor authentication system to protect your organization’s information with an additional layer of security.
Adopt a next-generation antivirus product:
These products are generally a superior alternative to signature-based antivirus solutions because they provide protection against fileless or script-based malware attacks. Next-generation antivirus solutions are also capable of detecting persistence and quickly isolating infected devices.
Other technical mitigation measures:
Email sandboxing, browser isolation, network segmentation and group policy hardening are other effective mitigation solutions to safeguard your organization’s systems.
Looking for assistance with protecting your business against today’s top cyberthreats? GraVoc provides expert Information Security services including Penetration Testing services to businesses nationwide. Click the button below to learn more about our services and how we can help.
– External Vulnerability Assessment & Penetration Testing Services
– Internal Vulnerability Assessment & Penetration Testing Services
– Website & Mobile Application Testing
– Social Engineering Services
– Cloud Security Assessment Services
– Red Team, Blue Team, Purple Team Exercises
GraVoc’s Nate Gravel and Mike Kannan will be presenting at this year’s BankWorld on the importance of adversary simulation exercises.
In this video & blog, we discuss the key components of physical security & how your business can incorporate them into your security program.
Do you know the sensitivity level of the data that your business collects? In this blog post and video, we explore the 4 levels of sensitive data and what your business can be doing to safeguard this data.